COPPA and Children's Privacy: What Parents Should Know and Do

Aug 20, 2020, 09:00 AM by BBB National Programs

As a parent, it can be difficult to keep up with all the ways your child uses technology. From board books to iPads, weekend cartoons to YouTube, even traditional schooling has had to adapt to online classes. Trying to stay on top of what your child is watching, what ads they are seeing, and what is happening with their data can be overwhelming, but understanding COPPA, the Children’s Online Privacy Protection Act, can help.  

COPPA was passed in 1998 with the goal of putting control over the online collection of children’s personal information into the hands of parents. This legislation regulates how online services like websites and mobile apps collect, use, and share personal information from children under 13. COPPA also gives the Federal Trade Commission (FTC) the power to enforce the law, usually by issuing fines to online services that are not compliant. 

 

What is personal information? 

 

COPPA helps protect a child’s personal information, which is the information that identifies that you are you.  

 

Some personal information is obvious. Other information is collected without you seeing it happen. 
  • First and last name 

  • Home or other physical address (street name and name of a city or town) 

  • Online contact information (such as an email address; anything that permits a child to be contacted online) 

  • Screen or username (when it functions as online contact information) 

  • Telephone number 

  • Social Security number 

 

  • Persistent identifier that can be used to recognize a user over time and across different websites or online services. Persistent identifiers include, but are not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier 

  • A photograph, video, or audio file containing a child's image or voice 

  • Geolocation information sufficient to identify street name and name of a city or town; (or precise location) 

  • Any information about the child or the parents of that child that the operator collects online from the child and combines with any other personal information as outlined above 

 

Child-Directed, Notice, and Verifiable Parental Consent 

 

COPPA protects a child’s personal information for “child-directed” content. “Child-directed” is a term that means an online service is targeted exclusively or in part to children. For example, a gaming website that only provides games made for young children could be child-directed, but so could a gaming website that provides games made for both young children and teens.  

On these websites, platforms, and in these child-directed apps, COPPA applies.  

By contrast, general audience online services are not targeted to children at all, even though some children may still visit the site. If a website or app seems to be general audience rather than child-directed, the service may not have COPPA protections in place for children’s personal information.  

For example, most social media services like Instagram, SnapChat, and Twitter don’t allow children under 13 to be on their service and state that in their Terms of Service. As a result of requiring that all users be over the age of 13, there are no extra privacy protections for children that these social media services are obligated to provide.  

So as a parent, if you want to assess the online service or app that your child is using, step one is to check out the Terms of Service to see whether children should be using the service at all.  

When the FTC reviews an app, website, or other online service to determine if it should be considered child-directed content or not, here are some of the factors that are being taken into consideration: 

  • Subject matter that is likely intended for children, such as youth arts and crafts or toys and games. 

  • Visual content, for example bright colors or cartoons. 

  • Use of animated characters or child-oriented activities/incentives, like coloring. 

  • Music or other audio content that appeals to children, like the ABC song. 

  • Age of models on the service or platform. If a website depicts only children using their product or playing their games, that may be a good indicator the website is targeted to children. 

  • Presence of child celebrities/celebrities that appeal to children, such as a character from a popular children’s TV show, like Elmo. 

  • Language and other characteristics of the online service, such as using simple words, shorter sentences, and large text to make it easily accessible to children. 

  • Advertising placement promoting the service. For example, if a gaming app places an ad during children’s daytime programming on TV, that app is targeting children.  

 

Content creators across platforms, whether creating content for an advertisement or a video for YouTube, should be taking the above criteria into consideration when creating their content and determining where it will be placed online.   

Once a platform, website, or other online service is identified as “child-directed,” COPPA requires that that service or platform take three steps: 

  1. Include a notice that describes how they collect, use, and disclose children’s personal information that they have collected through use of the service. This notice can typically be found in the online service’s privacy policy; some services even have a separate privacy policy that is dedicated to explaining how they handle children’s information.

  2. Online services also must provide a direct notice to the parent or guardian that explains the same information, which is usually sent via email when a child signs up for the service. The direct notice should be sent to you even if the service does not collect or use the child’s personal information.

  3. In addition to providing notice, an online service must get your consent via a verifiable method before they can collect, use, or share any of your child’s personal information. This is called verifiable parental consent, or VPC.  


How will online services ask for this? Some services directed to children only collect persistent identifiers (such as cookies) to use in their internal operations, such as serving contextual ads on their site or performing site analytics and maintenance. In that case, if they are not collecting other types of personal information or sharing it with third parties for external uses, the service may ask your child for your email address. Then, they send you an email with a confirmation link or similar way to “activate” your child’s account. The FTC refers to this as the “email plus” method of consent.  

Sometimes online services directed to children collect other personal information or share it with third parties for behavioral advertising and other uses. In those circumstances, they can obtain VPC by asking the parent to call a toll-free number, videoconference with staff, sign and return a consent form, or by entering a credit or debit card to confirm you really are the child’s parent/guardian. 

The purpose of VPC is so that parents can be informed of the privacy and data practices of the online services their child is using, as well as how you can contact the site to review their children’s data or have the data deleted. 

 

If You See Something, Say Something  

 

Now that you know more about COPPA, what can you do if you notice something fishy about a service your child is using? If there is anything about the advertising or privacy practices on a child-directed site that you think doesn’t follow COPPA, you can file a complaint with us at CARU here, or by emailing us at infocaru@bbbnp.org. The complaint goes directly to CARU staff who will investigate the complaint and take necessary steps to make sure the issue is rectified.  

Other Blog Articles

Blog

CARU's Tips for Parents: Safe and Efficient Holiday Shopping

2020 has been a year unlike any other. In a time of great uncertainty, facing the holidays can feel be daunting. When it comes to holiday shopping, it is safe to say that many of us will be primarily shopping online this year. To help ensure your online holiday shopping experience is safe and efficient this holiday season, the Children’s Advertising Review Unit (CARU) team has put together some tips and red flags to consider when making those all-important gift selections.
Read more
Blog

After Seven Months, the Verdict is in: Fast-Track SWIFT is Fast and Fair

The National Advertising Division (NAD) Fast-Track SWIFT advertising challenge process launched seven months ago as a faster way to resolve single-issue cases. The process has kept its promise of fast and fair decisions. This blog covers lessons learned and best practices gathered by the NAD team since the launch of SWIFT.
Read more
Blog

Monetization: The Privacy Risks and Rewards of In-App Purchases and IBA

Every day, teens download apps for free on the Google Play and Apple App Stores and, in doing so, participate in a hidden advertising ecosystem that collects data from them. In-app purchase options and behavioral advertising further complicate things. Though these monetization models have caused the mobile app economy to flourish, they sometimes come at the cost of user privacy.
Read more
Blog

Risky Business: A New Study Assessing Teen Privacy in Mobile Apps

Teen privacy is more at risk online than ever. The TeenAge Privacy Program (TAPP) new whitepaper, Risky Business: The Current State of Teen Privacy in the Android App Marketplace, examines how teens put themselves at risk when they engage with mobile apps.
Read more